|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Network Working Group D. Barr
|
|
cvsdist |
aa0a29 |
Request for Comments: 1912 The Pennsylvania State University
|
|
cvsdist |
aa0a29 |
Obsoletes: 1537 February 1996
|
|
cvsdist |
aa0a29 |
Category: Informational
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Common DNS Operational and Configuration Errors
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Status of this Memo
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
This memo provides information for the Internet community. This memo
|
|
cvsdist |
aa0a29 |
does not specify an Internet standard of any kind. Distribution of
|
|
cvsdist |
aa0a29 |
this memo is unlimited.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Abstract
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
This memo describes errors often found in both the operation of
|
|
cvsdist |
aa0a29 |
Domain Name System (DNS) servers, and in the data that these DNS
|
|
cvsdist |
aa0a29 |
servers contain. This memo tries to summarize current Internet
|
|
cvsdist |
aa0a29 |
requirements as well as common practice in the operation and
|
|
cvsdist |
aa0a29 |
configuration of the DNS. This memo also tries to summarize or
|
|
cvsdist |
aa0a29 |
expand upon issues raised in [RFC 1537].
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
1. Introduction
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Running a nameserver is not a trivial task. There are many things
|
|
cvsdist |
aa0a29 |
that can go wrong, and many decisions have to be made about what data
|
|
cvsdist |
aa0a29 |
to put in the DNS and how to set up servers. This memo attempts to
|
|
cvsdist |
aa0a29 |
address many of the common mistakes and pitfalls that are made in DNS
|
|
cvsdist |
aa0a29 |
data as well as in the operation of nameservers. Discussions are
|
|
cvsdist |
aa0a29 |
also made regarding some other relevant issues such as server or
|
|
cvsdist |
aa0a29 |
resolver bugs, and a few political issues with respect to the
|
|
cvsdist |
aa0a29 |
operation of DNS on the Internet.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2. DNS Data
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
This section discusses problems people typically have with the DNS
|
|
cvsdist |
aa0a29 |
data in their nameserver, as found in the zone data files that the
|
|
cvsdist |
aa0a29 |
nameserver loads into memory.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.1 Inconsistent, Missing, or Bad Data
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Every Internet-reachable host should have a name. The consequences
|
|
cvsdist |
aa0a29 |
of this are becoming more and more obvious. Many services available
|
|
cvsdist |
aa0a29 |
on the Internet will not talk to you if you aren't correctly
|
|
cvsdist |
aa0a29 |
registered in the DNS.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 1]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Make sure your PTR and A records match. For every IP address, there
|
|
cvsdist |
aa0a29 |
should be a matching PTR record in the in-addr.arpa domain. If a
|
|
cvsdist |
aa0a29 |
host is multi-homed, (more than one IP address) make sure that all IP
|
|
cvsdist |
aa0a29 |
addresses have a corresponding PTR record (not just the first one).
|
|
cvsdist |
aa0a29 |
Failure to have matching PTR and A records can cause loss of Internet
|
|
cvsdist |
aa0a29 |
services similar to not being registered in the DNS at all. Also,
|
|
cvsdist |
aa0a29 |
PTR records must point back to a valid A record, not a alias defined
|
|
cvsdist |
aa0a29 |
by a CNAME. It is highly recommended that you use some software
|
|
cvsdist |
aa0a29 |
which automates this checking, or generate your DNS data from a
|
|
cvsdist |
aa0a29 |
database which automatically creates consistent data.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
DNS domain names consist of "labels" separated by single dots. The
|
|
cvsdist |
aa0a29 |
DNS is very liberal in its rules for the allowable characters in a
|
|
cvsdist |
aa0a29 |
domain name. However, if a domain name is used to name a host, it
|
|
cvsdist |
aa0a29 |
should follow rules restricting host names. Further if a name is
|
|
cvsdist |
aa0a29 |
used for mail, it must follow the naming rules for names in mail
|
|
cvsdist |
aa0a29 |
addresses.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Allowable characters in a label for a host name are only ASCII
|
|
cvsdist |
aa0a29 |
letters, digits, and the `-' character. Labels may not be all
|
|
cvsdist |
aa0a29 |
numbers, but may have a leading digit (e.g., 3com.com). Labels must
|
|
cvsdist |
aa0a29 |
end and begin only with a letter or digit. See [RFC 1035] and [RFC
|
|
cvsdist |
aa0a29 |
1123]. (Labels were initially restricted in [RFC 1035] to start with
|
|
cvsdist |
aa0a29 |
a letter, and some older hosts still reportedly have problems with
|
|
cvsdist |
aa0a29 |
the relaxation in [RFC 1123].) Note there are some Internet
|
|
cvsdist |
aa0a29 |
hostnames which violate this rule (411.org, 1776.com). The presence
|
|
cvsdist |
aa0a29 |
of underscores in a label is allowed in [RFC 1033], except [RFC 1033]
|
|
cvsdist |
aa0a29 |
is informational only and was not defining a standard. There is at
|
|
cvsdist |
aa0a29 |
least one popular TCP/IP implementation which currently refuses to
|
|
cvsdist |
aa0a29 |
talk to hosts named with underscores in them. It must be noted that
|
|
cvsdist |
aa0a29 |
the language in [1035] is such that these rules are voluntary -- they
|
|
cvsdist |
aa0a29 |
are there for those who wish to minimize problems. Note that the
|
|
cvsdist |
aa0a29 |
rules for Internet host names also apply to hosts and addresses used
|
|
cvsdist |
aa0a29 |
in SMTP (See RFC 821).
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
If a domain name is to be used for mail (not involving SMTP), it must
|
|
cvsdist |
aa0a29 |
follow the rules for mail in [RFC 822], which is actually more
|
|
cvsdist |
aa0a29 |
liberal than the above rules. Labels for mail can be any ASCII
|
|
cvsdist |
aa0a29 |
character except "specials", control characters, and whitespace
|
|
cvsdist |
aa0a29 |
characters. "Specials" are specific symbols used in the parsing of
|
|
cvsdist |
aa0a29 |
addresses. They are the characters "()<>@,;:\".[]". (The "!"
|
|
cvsdist |
aa0a29 |
character wasn't in [RFC 822], however it also shouldn't be used due
|
|
cvsdist |
aa0a29 |
to the conflict with UUCP mail as defined in RFC 976) However, since
|
|
cvsdist |
aa0a29 |
today almost all names which are used for mail on the Internet are
|
|
cvsdist |
aa0a29 |
also names used for hostnames, one rarely sees addresses using these
|
|
cvsdist |
aa0a29 |
relaxed standard, but mail software should be made liberal and robust
|
|
cvsdist |
aa0a29 |
enough to accept them.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 2]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
You should also be careful to not have addresses which are valid
|
|
cvsdist |
aa0a29 |
alternate syntaxes to the inet_ntoa() library call. For example 0xe
|
|
cvsdist |
aa0a29 |
is a valid name, but if you were to type "telnet 0xe", it would try
|
|
cvsdist |
aa0a29 |
to connect to IP address 0.0.0.14. It is also rumored that there
|
|
cvsdist |
aa0a29 |
exists some broken inet_ntoa() routines that treat an address like
|
|
cvsdist |
aa0a29 |
x400 as an IP address.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Certain operating systems have limitations on the length of their own
|
|
cvsdist |
aa0a29 |
hostname. While not strictly of issue to the DNS, you should be
|
|
cvsdist |
aa0a29 |
aware of your operating system's length limits before choosing the
|
|
cvsdist |
aa0a29 |
name of a host.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Remember that many resource records (abbreviated RR) take on more
|
|
cvsdist |
aa0a29 |
than one argument. HINFO requires two arguments, as does RP. If you
|
|
cvsdist |
aa0a29 |
don't supply enough arguments, servers sometime return garbage for
|
|
cvsdist |
aa0a29 |
the missing fields. If you need to include whitespace within any
|
|
cvsdist |
aa0a29 |
data, you must put the string in quotes.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.2 SOA records
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
In the SOA record of every zone, remember to fill in the e-mail
|
|
cvsdist |
aa0a29 |
address that will get to the person who maintains the DNS at your
|
|
cvsdist |
aa0a29 |
site (commonly referred to as "hostmaster"). The `@' in the e-mail
|
|
cvsdist |
aa0a29 |
must be replaced by a `.' first. Do not try to put an `@' sign in
|
|
cvsdist |
aa0a29 |
this address. If the local part of the address already contains a
|
|
cvsdist |
aa0a29 |
`.' (e.g., John.Smith@widget.xx), then you need to quote the `.' by
|
|
cvsdist |
aa0a29 |
preceding it with `\' character. (e.g., to become
|
|
cvsdist |
aa0a29 |
John\.Smith.widget.xx) Alternately (and preferred), you can just use
|
|
cvsdist |
aa0a29 |
the generic name `hostmaster', and use a mail alias to redirect it to
|
|
cvsdist |
aa0a29 |
the appropriate persons. There exists software which uses this field
|
|
cvsdist |
aa0a29 |
to automatically generate the e-mail address for the zone contact.
|
|
cvsdist |
aa0a29 |
This software will break if this field is improperly formatted. It
|
|
cvsdist |
aa0a29 |
is imperative that this address get to one or more real persons,
|
|
cvsdist |
aa0a29 |
because it is often used for everything from reporting bad DNS data
|
|
cvsdist |
aa0a29 |
to reporting security incidents.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Even though some BIND versions allow you to use a decimal in a serial
|
|
cvsdist |
aa0a29 |
number, don't. A decimal serial number is converted to an unsigned
|
|
cvsdist |
aa0a29 |
32-bit integer internally anyway. The formula for a n.m serial
|
|
cvsdist |
aa0a29 |
number is n*10^(3+int(0.9+log10(m))) + m which translates to
|
|
cvsdist |
aa0a29 |
something rather unexpected. For example it's routinely possible
|
|
cvsdist |
aa0a29 |
with a decimal serial number (perhaps automatically generated by
|
|
cvsdist |
aa0a29 |
SCCS) to be incremented such that it is numerically larger, but after
|
|
cvsdist |
aa0a29 |
the above conversion yield a serial number which is LOWER than
|
|
cvsdist |
aa0a29 |
before. Decimal serial numbers have been officially deprecated in
|
|
cvsdist |
aa0a29 |
recent BIND versions. The recommended syntax is YYYYMMDDnn
|
|
cvsdist |
aa0a29 |
(YYYY=year, MM=month, DD=day, nn=revision number. This won't
|
|
cvsdist |
aa0a29 |
overflow until the year 4294.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 3]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Choose logical values for the timer values in the SOA record (note
|
|
cvsdist |
aa0a29 |
values below must be expressed as seconds in the zone data):
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Refresh: How often a secondary will poll the primary server to see
|
|
cvsdist |
aa0a29 |
if the serial number for the zone has increased (so it knows
|
|
cvsdist |
aa0a29 |
to request a new copy of the data for the zone). Set this to
|
|
cvsdist |
aa0a29 |
how long your secondaries can comfortably contain out-of-date
|
|
cvsdist |
aa0a29 |
data. You can keep it short (20 mins to 2 hours) if you
|
|
cvsdist |
aa0a29 |
aren't worried about a small increase in bandwidth used, or
|
|
cvsdist |
aa0a29 |
longer (2-12 hours) if your Internet connection is slow or is
|
|
cvsdist |
aa0a29 |
started on demand. Recent BIND versions (4.9.3) have optional
|
|
cvsdist |
aa0a29 |
code to automatically notify secondaries that data has
|
|
cvsdist |
aa0a29 |
changed, allowing you to set this TTL to a long value (one
|
|
cvsdist |
aa0a29 |
day, or more).
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Retry: If a secondary was unable to contact the primary at the
|
|
cvsdist |
aa0a29 |
last refresh, wait the retry value before trying again. This
|
|
cvsdist |
aa0a29 |
value isn't as important as others, unless the secondary is on
|
|
cvsdist |
aa0a29 |
a distant network from the primary or the primary is more
|
|
cvsdist |
aa0a29 |
prone to outages. It's typically some fraction of the refresh
|
|
cvsdist |
aa0a29 |
interval.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Expire: How long a secondary will still treat its copy of the zone
|
|
cvsdist |
aa0a29 |
data as valid if it can't contact the primary. This value
|
|
cvsdist |
aa0a29 |
should be greater than how long a major outage would typically
|
|
cvsdist |
aa0a29 |
last, and must be greater than the minimum and retry
|
|
cvsdist |
aa0a29 |
intervals, to avoid having a secondary expire the data before
|
|
cvsdist |
aa0a29 |
it gets a chance to get a new copy. After a zone is expired a
|
|
cvsdist |
aa0a29 |
secondary will still continue to try to contact the primary,
|
|
cvsdist |
aa0a29 |
but it will no longer provide nameservice for the zone. 2-4
|
|
cvsdist |
aa0a29 |
weeks are suggested values.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Minimum: The default TTL (time-to-live) for resource records --
|
|
cvsdist |
aa0a29 |
how long data will remain in other nameservers' cache. ([RFC
|
|
cvsdist |
aa0a29 |
1035] defines this to be the minimum value, but servers seem
|
|
cvsdist |
aa0a29 |
to always implement this as the default value) This is by far
|
|
cvsdist |
aa0a29 |
the most important timer. Set this as large as is comfortable
|
|
cvsdist |
aa0a29 |
given how often you update your nameserver. If you plan to
|
|
cvsdist |
aa0a29 |
make major changes, it's a good idea to turn this value down
|
|
cvsdist |
aa0a29 |
temporarily beforehand. Then wait the previous minimum value,
|
|
cvsdist |
aa0a29 |
make your changes, verify their correctness, and turn this
|
|
cvsdist |
aa0a29 |
value back up. 1-5 days are typical values. Remember this
|
|
cvsdist |
aa0a29 |
value can be overridden on individual resource records.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 4]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
As you can see, the typical values above for the timers vary widely.
|
|
cvsdist |
aa0a29 |
Popular documentation like [RFC 1033] recommended a day for the
|
|
cvsdist |
aa0a29 |
minimum TTL, which is now considered too low except for zones with
|
|
cvsdist |
aa0a29 |
data that vary regularly. Once a DNS stabilizes, values on the order
|
|
cvsdist |
aa0a29 |
of 3 or more days are recommended. It is also recommended that you
|
|
cvsdist |
aa0a29 |
individually override the TTL on certain RRs which are often
|
|
cvsdist |
aa0a29 |
referenced and don't often change to have very large values (1-2
|
|
cvsdist |
aa0a29 |
weeks). Good examples of this are the MX, A, and PTR records of your
|
|
cvsdist |
aa0a29 |
mail host(s), the NS records of your zone, and the A records of your
|
|
cvsdist |
aa0a29 |
nameservers.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.3 Glue A Records
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Glue records are A records that are associated with NS records to
|
|
cvsdist |
aa0a29 |
provide "bootstrapping" information to the nameserver. For example:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
podunk.xx. in ns ns1.podunk.xx.
|
|
cvsdist |
aa0a29 |
in ns ns2.podunk.xx.
|
|
cvsdist |
aa0a29 |
ns1.podunk.xx. in a 1.2.3.4
|
|
cvsdist |
aa0a29 |
ns2.podunk.xx. in a 1.2.3.5
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Here, the A records are referred to as "Glue records".
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Glue records are required only in forward zone files for nameservers
|
|
cvsdist |
aa0a29 |
that are located in the subdomain of the current zone that is being
|
|
cvsdist |
aa0a29 |
delegated. You shouldn't have any A records in an in-addr.arpa zone
|
|
cvsdist |
aa0a29 |
file (unless you're using RFC 1101-style encoding of subnet masks).
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
If your nameserver is multi-homed (has more than one IP address), you
|
|
cvsdist |
aa0a29 |
must list all of its addresses in the glue to avoid cache
|
|
cvsdist |
aa0a29 |
inconsistency due to differing TTL values, causing some lookups to
|
|
cvsdist |
aa0a29 |
not find all addresses for your nameserver.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Some people get in the bad habit of putting in a glue record whenever
|
|
cvsdist |
aa0a29 |
they add an NS record "just to make sure". Having duplicate glue
|
|
cvsdist |
aa0a29 |
records in your zone files just makes it harder when a nameserver
|
|
cvsdist |
aa0a29 |
moves to a new IP address, or is removed. You'll spend hours trying
|
|
cvsdist |
aa0a29 |
to figure out why random people still see the old IP address for some
|
|
cvsdist |
aa0a29 |
host, because someone forgot to change or remove a glue record in
|
|
cvsdist |
aa0a29 |
some other file. Newer BIND versions will ignore these extra glue
|
|
cvsdist |
aa0a29 |
records in local zone files.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Older BIND versions (4.8.3 and previous) have a problem where it
|
|
cvsdist |
aa0a29 |
inserts these extra glue records in the zone transfer data to
|
|
cvsdist |
aa0a29 |
secondaries. If one of these glues is wrong, the error can be
|
|
cvsdist |
aa0a29 |
propagated to other nameservers. If two nameservers are secondaries
|
|
cvsdist |
aa0a29 |
for other zones of each other, it's possible for one to continually
|
|
cvsdist |
aa0a29 |
pass old glue records back to the other. The only way to get rid of
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 5]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
the old data is to kill both of them, remove the saved backup files,
|
|
cvsdist |
aa0a29 |
and restart them. Combined with that those same versions also tend
|
|
cvsdist |
aa0a29 |
to become infected more easily with bogus data found in other non-
|
|
cvsdist |
aa0a29 |
secondary nameservers (like the root zone data).
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.4 CNAME records
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
A CNAME record is not allowed to coexist with any other data. In
|
|
cvsdist |
aa0a29 |
other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
|
|
cvsdist |
aa0a29 |
can't also have an MX record for suzy.podunk.edu, or an A record, or
|
|
cvsdist |
aa0a29 |
even a TXT record. Especially do not try to combine CNAMEs and NS
|
|
cvsdist |
aa0a29 |
records like this!:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
podunk.xx. IN NS ns1
|
|
cvsdist |
aa0a29 |
IN NS ns2
|
|
cvsdist |
aa0a29 |
IN CNAME mary
|
|
cvsdist |
aa0a29 |
mary IN A 1.2.3.4
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
This is often attempted by inexperienced administrators as an obvious
|
|
cvsdist |
aa0a29 |
way to allow your domain name to also be a host. However, DNS
|
|
cvsdist |
aa0a29 |
servers like BIND will see the CNAME and refuse to add any other
|
|
cvsdist |
aa0a29 |
resources for that name. Since no other records are allowed to
|
|
cvsdist |
aa0a29 |
coexist with a CNAME, the NS entries are ignored. Therefore all the
|
|
cvsdist |
aa0a29 |
hosts in the podunk.xx domain are ignored as well!
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
If you want to have your domain also be a host, do the following:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
podunk.xx. IN NS ns1
|
|
cvsdist |
aa0a29 |
IN NS ns2
|
|
cvsdist |
aa0a29 |
IN A 1.2.3.4
|
|
cvsdist |
aa0a29 |
mary IN A 1.2.3.4
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Don't go overboard with CNAMEs. Use them when renaming hosts, but
|
|
cvsdist |
aa0a29 |
plan to get rid of them (and inform your users). However CNAMEs are
|
|
cvsdist |
aa0a29 |
useful (and encouraged) for generalized names for servers -- `ftp'
|
|
cvsdist |
aa0a29 |
for your ftp server, `www' for your Web server, `gopher' for your
|
|
cvsdist |
aa0a29 |
Gopher server, `news' for your Usenet news server, etc.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Don't forget to delete the CNAMEs associated with a host if you
|
|
cvsdist |
aa0a29 |
delete the host it is an alias for. Such "stale CNAMEs" are a waste
|
|
cvsdist |
aa0a29 |
of resources.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 6]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Don't use CNAMEs in combination with RRs which point to other names
|
|
cvsdist |
aa0a29 |
like MX, CNAME, PTR and NS. (PTR is an exception if you want to
|
|
cvsdist |
aa0a29 |
implement classless in-addr delegation.) For example, this is
|
|
cvsdist |
aa0a29 |
strongly discouraged:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
podunk.xx. IN MX mailhost
|
|
cvsdist |
aa0a29 |
mailhost IN CNAME mary
|
|
cvsdist |
aa0a29 |
mary IN A 1.2.3.4
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1034] in section 3.6.2 says this should not be done, and [RFC
|
|
cvsdist |
aa0a29 |
974] explicitly states that MX records shall not point to an alias
|
|
cvsdist |
aa0a29 |
defined by a CNAME. This results in unnecessary indirection in
|
|
cvsdist |
aa0a29 |
accessing the data, and DNS resolvers and servers need to work more
|
|
cvsdist |
aa0a29 |
to get the answer. If you really want to do this, you can accomplish
|
|
cvsdist |
aa0a29 |
the same thing by using a preprocessor such as m4 on your host files.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Also, having chained records such as CNAMEs pointing to CNAMEs may
|
|
cvsdist |
aa0a29 |
make administration issues easier, but is known to tickle bugs in
|
|
cvsdist |
aa0a29 |
some resolvers that fail to check loops correctly. As a result some
|
|
cvsdist |
aa0a29 |
hosts may not be able to resolve such names.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Having NS records pointing to a CNAME is bad and may conflict badly
|
|
cvsdist |
aa0a29 |
with current BIND servers. In fact, current BIND implementations
|
|
cvsdist |
aa0a29 |
will ignore such records, possibly leading to a lame delegation.
|
|
cvsdist |
aa0a29 |
There is a certain amount of security checking done in BIND to
|
|
cvsdist |
aa0a29 |
prevent spoofing DNS NS records. Also, older BIND servers reportedly
|
|
cvsdist |
aa0a29 |
will get caught in an infinite query loop trying to figure out the
|
|
cvsdist |
aa0a29 |
address for the aliased nameserver, causing a continuous stream of
|
|
cvsdist |
aa0a29 |
DNS requests to be sent.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.5 MX records
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
It is a good idea to give every host an MX record, even if it points
|
|
cvsdist |
aa0a29 |
to itself! Some mailers will cache MX records, but will always need
|
|
cvsdist |
aa0a29 |
to check for an MX before sending mail. If a site does not have an
|
|
cvsdist |
aa0a29 |
MX, then every piece of mail may result in one more resolver query,
|
|
cvsdist |
aa0a29 |
since the answer to the MX query often also contains the IP addresses
|
|
cvsdist |
aa0a29 |
of the MX hosts. Internet SMTP mailers are required by [RFC 1123] to
|
|
cvsdist |
aa0a29 |
support the MX mechanism.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Put MX records even on hosts that aren't intended to send or receive
|
|
cvsdist |
aa0a29 |
e-mail. If there is a security problem involving one of these hosts,
|
|
cvsdist |
aa0a29 |
some people will mistakenly send mail to postmaster or root at the
|
|
cvsdist |
aa0a29 |
site without checking first to see if it is a "real" host or just a
|
|
cvsdist |
aa0a29 |
terminal or personal computer that's not set up to accept e-mail. If
|
|
cvsdist |
aa0a29 |
you give it an MX record, then the e-mail can be redirected to a real
|
|
cvsdist |
aa0a29 |
person. Otherwise mail can just sit in a queue for hours or days
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 7]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
until the mailer gives up trying to send it.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Don't forget that whenever you add an MX record, you need to inform
|
|
cvsdist |
aa0a29 |
the target mailer if it is to treat the first host as "local". (The
|
|
cvsdist |
aa0a29 |
"Cw" flag in sendmail, for example)
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
If you add an MX record which points to an external host (e.g., for
|
|
cvsdist |
aa0a29 |
the purposes of backup mail routing) be sure to ask permission from
|
|
cvsdist |
aa0a29 |
that site first. Otherwise that site could get rather upset and take
|
|
cvsdist |
aa0a29 |
action (like throw your mail away, or appeal to higher authorities
|
|
cvsdist |
aa0a29 |
like your parent DNS administrator or network provider.)
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.6 Other Resource Records
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.6.1 WKS
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
WKS records are deprecated in [RFC 1123]. They serve no known useful
|
|
cvsdist |
aa0a29 |
function, except internally among LISP machines. Don't use them.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.6.2 HINFO
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
On the issue HINFO records, some will argue that these is a security
|
|
cvsdist |
aa0a29 |
problem (by broadcasting what vendor hardware and operating system
|
|
cvsdist |
aa0a29 |
you so people can run systematic attacks on known vendor security
|
|
cvsdist |
aa0a29 |
holes). If you do use them, you should keep up to date with known
|
|
cvsdist |
aa0a29 |
vendor security problems. However, they serve a useful purpose.
|
|
cvsdist |
aa0a29 |
Don't forget that HINFO requires two arguments, the hardware type,
|
|
cvsdist |
aa0a29 |
and the operating system.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
HINFO is sometimes abused to provide other information. The record
|
|
cvsdist |
aa0a29 |
is meant to provide specific information about the machine itself.
|
|
cvsdist |
aa0a29 |
If you need to express other information about the host in the DNS,
|
|
cvsdist |
aa0a29 |
use TXT.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.6.3 TXT
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
TXT records have no specific definition. You can put most anything
|
|
cvsdist |
aa0a29 |
in them. Some use it for a generic description of the host, some put
|
|
cvsdist |
aa0a29 |
specific information like its location, primary user, or maybe even a
|
|
cvsdist |
aa0a29 |
phone number.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.6.4 RP
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RP records are relatively new. They are used to specify an e-mail
|
|
cvsdist |
aa0a29 |
address (see first paragraph of section 2.2) of the "Responsible
|
|
cvsdist |
aa0a29 |
Person" of the host, and the name of a TXT record where you can get
|
|
cvsdist |
aa0a29 |
more information. See [RFC 1183].
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 8]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.7 Wildcard records
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Wildcard MXs are useful mostly for non IP-connected sites. A common
|
|
cvsdist |
aa0a29 |
mistake is thinking that a wildcard MX for a zone will apply to all
|
|
cvsdist |
aa0a29 |
hosts in the zone. A wildcard MX will apply only to names in the
|
|
cvsdist |
aa0a29 |
zone which aren't listed in the DNS at all. e.g.,
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
podunk.xx. IN NS ns1
|
|
cvsdist |
aa0a29 |
IN NS ns2
|
|
cvsdist |
aa0a29 |
mary IN A 1.2.3.4
|
|
cvsdist |
aa0a29 |
*.podunk.xx. IN MX 5 sue
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Mail for mary.podunk.xx will be sent to itself for delivery. Only
|
|
cvsdist |
aa0a29 |
mail for jane.podunk.xx or any hosts you don't see above will be sent
|
|
cvsdist |
aa0a29 |
to the MX. For most Internet sites, wildcard MX records are not
|
|
cvsdist |
aa0a29 |
useful. You need to put explicit MX records on every host.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Wildcard MXs can be bad, because they make some operations succeed
|
|
cvsdist |
aa0a29 |
when they should fail instead. Consider the case where someone in
|
|
cvsdist |
aa0a29 |
the domain "widget.com" tries to send mail to "joe@larry". If the
|
|
cvsdist |
aa0a29 |
host "larry" doesn't actually exist, the mail should in fact bounce
|
|
cvsdist |
aa0a29 |
immediately. But because of domain searching the address gets
|
|
cvsdist |
aa0a29 |
resolved to "larry.widget.com", and because of the wildcard MX this
|
|
cvsdist |
aa0a29 |
is a valid address according to DNS. Or perhaps someone simply made
|
|
cvsdist |
aa0a29 |
a typo in the hostname portion of the address. The mail message then
|
|
cvsdist |
aa0a29 |
gets routed to the mail host, which then rejects the mail with
|
|
cvsdist |
aa0a29 |
strange error messages like "I refuse to talk to myself" or "Local
|
|
cvsdist |
aa0a29 |
configuration error".
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Wildcard MX records are good for when you have a large number of
|
|
cvsdist |
aa0a29 |
hosts which are not directly Internet-connected (for example, behind
|
|
cvsdist |
aa0a29 |
a firewall) and for administrative or political reasons it is too
|
|
cvsdist |
aa0a29 |
difficult to have individual MX records for every host, or to force
|
|
cvsdist |
aa0a29 |
all e-mail addresses to be "hidden" behind one or more domain names.
|
|
cvsdist |
aa0a29 |
In that case, you must divide your DNS into two parts, an internal
|
|
cvsdist |
aa0a29 |
DNS, and an external DNS. The external DNS will have only a few
|
|
cvsdist |
aa0a29 |
hosts and explicit MX records, and one or more wildcard MXs for each
|
|
cvsdist |
aa0a29 |
internal domain. Internally the DNS will be complete, with all
|
|
cvsdist |
aa0a29 |
explicit MX records and no wildcards.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Wildcard As and CNAMEs are possible too, and are really confusing to
|
|
cvsdist |
aa0a29 |
users, and a potential nightmare if used without thinking first. It
|
|
cvsdist |
aa0a29 |
could result (due again to domain searching) in any telnet/ftp
|
|
cvsdist |
aa0a29 |
attempts from within the domain to unknown hosts to be directed to
|
|
cvsdist |
aa0a29 |
one address. One such wildcard CNAME (in *.edu.com) caused
|
|
cvsdist |
aa0a29 |
Internet-wide loss of services and potential security nightmares due
|
|
cvsdist |
aa0a29 |
to unexpected interactions with domain searching. It resulted in
|
|
cvsdist |
aa0a29 |
swift fixes, and even an RFC ([RFC 1535]) documenting the problem.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 9]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
2.8 Authority and Delegation Errors (NS records)
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
You are required to have at least two nameservers for every domain,
|
|
cvsdist |
aa0a29 |
though more is preferred. Have secondaries outside your network. If
|
|
cvsdist |
aa0a29 |
the secondary isn't under your control, periodically check up on them
|
|
cvsdist |
aa0a29 |
and make sure they're getting current zone data from you. Queries to
|
|
cvsdist |
aa0a29 |
their nameserver about your hosts should always result in an
|
|
cvsdist |
aa0a29 |
"authoritative" response. If not, this is called a "lame
|
|
cvsdist |
aa0a29 |
delegation". A lame delegations exists when a nameserver is
|
|
cvsdist |
aa0a29 |
delegated responsibility for providing nameservice for a zone (via NS
|
|
cvsdist |
aa0a29 |
records) but is not performing nameservice for that zone (usually
|
|
cvsdist |
aa0a29 |
because it is not set up as a primary or secondary for the zone).
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
The "classic" lame delegation can be illustrated in this example:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
podunk.xx. IN NS ns1.podunk.xx.
|
|
cvsdist |
aa0a29 |
IN NS ns0.widget.com.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
"podunk.xx" is a new domain which has recently been created, and
|
|
cvsdist |
aa0a29 |
"ns1.podunk.xx" has been set up to perform nameservice for the zone.
|
|
cvsdist |
aa0a29 |
They haven't quite finished everything yet and haven't made sure that
|
|
cvsdist |
aa0a29 |
the hostmaster at "ns0.widget.com" has set up to be a proper
|
|
cvsdist |
aa0a29 |
secondary, and thus has no information about the podunk.xx domain,
|
|
cvsdist |
aa0a29 |
even though the DNS says it is supposed to. Various things can
|
|
cvsdist |
aa0a29 |
happen depending on which nameserver is used. At best, extra DNS
|
|
cvsdist |
aa0a29 |
traffic will result from a lame delegation. At worst, you can get
|
|
cvsdist |
aa0a29 |
unresolved hosts and bounced e-mail.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Also, sometimes a nameserver is moved to another host or removed from
|
|
cvsdist |
aa0a29 |
the list of secondaries. Unfortunately due to caching of NS records,
|
|
cvsdist |
aa0a29 |
many sites will still think that a host is a secondary after that
|
|
cvsdist |
aa0a29 |
host has stopped providing nameservice. In order to prevent lame
|
|
cvsdist |
aa0a29 |
delegations while the cache is being aged, continue to provide
|
|
cvsdist |
aa0a29 |
nameservice on the old nameserver for the length of the maximum of
|
|
cvsdist |
aa0a29 |
the minimum plus refresh times for the zone and the parent zone.
|
|
cvsdist |
aa0a29 |
(See section 2.2)
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Whenever a primary or secondary is removed or changed, it takes a
|
|
cvsdist |
aa0a29 |
fair amount of human coordination among the parties involved. (The
|
|
cvsdist |
aa0a29 |
site itself, it's parent, and the site hosting the secondary) When a
|
|
cvsdist |
aa0a29 |
primary moves, make sure all secondaries have their named.boot files
|
|
cvsdist |
aa0a29 |
updated and their servers reloaded. When a secondary moves, make
|
|
cvsdist |
aa0a29 |
sure the address records at both the primary and parent level are
|
|
cvsdist |
aa0a29 |
changed.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
It's also been reported that some distant sites like to pick popular
|
|
cvsdist |
aa0a29 |
nameservers like "ns.uu.net" and just add it to their list of NS
|
|
cvsdist |
aa0a29 |
records in hopes that they will magically perform additional
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 10]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
nameservice for them. This is an even worse form of lame delegation,
|
|
cvsdist |
aa0a29 |
since this adds traffic to an already busy nameserver. Please
|
|
cvsdist |
aa0a29 |
contact the hostmasters of sites which have lame delegations.
|
|
cvsdist |
aa0a29 |
Various tools can be used to detect or actively find lame
|
|
cvsdist |
aa0a29 |
delegations. See the list of contributed software in the BIND
|
|
cvsdist |
aa0a29 |
distribution.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Make sure your parent domain has the same NS records for your zone as
|
|
cvsdist |
aa0a29 |
you do. (Don't forget your in-addr.arpa zones too!). Do not list
|
|
cvsdist |
aa0a29 |
too many (7 is the recommended maximum), as this just makes things
|
|
cvsdist |
aa0a29 |
harder to manage and is only really necessary for very popular top-
|
|
cvsdist |
aa0a29 |
level or root zones. You also run the risk of overflowing the 512-
|
|
cvsdist |
aa0a29 |
byte limit of a UDP packet in the response to an NS query. If this
|
|
cvsdist |
aa0a29 |
happens, resolvers will "fall back" to using TCP requests, resulting
|
|
cvsdist |
aa0a29 |
in increased load on your nameserver.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
It's important when picking geographic locations for secondary
|
|
cvsdist |
aa0a29 |
nameservers to minimize latency as well as increase reliability.
|
|
cvsdist |
aa0a29 |
Keep in mind network topologies. For example if your site is on the
|
|
cvsdist |
aa0a29 |
other end of a slow local or international link, consider a secondary
|
|
cvsdist |
aa0a29 |
on the other side of the link to decrease average latency. Contact
|
|
cvsdist |
aa0a29 |
your Internet service provider or parent domain contact for more
|
|
cvsdist |
aa0a29 |
information about secondaries which may be available to you.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
3. BIND operation
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
This section discusses common problems people have in the actual
|
|
cvsdist |
aa0a29 |
operation of the nameserver (specifically, BIND). Not only must the
|
|
cvsdist |
aa0a29 |
data be correct as explained above, but the nameserver must be
|
|
cvsdist |
aa0a29 |
operated correctly for the data to be made available.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
3.1 Serial numbers
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Each zone has a serial number associated with it. Its use is for
|
|
cvsdist |
aa0a29 |
keeping track of who has the most current data. If and only if the
|
|
cvsdist |
aa0a29 |
primary's serial number of the zone is greater will the secondary ask
|
|
cvsdist |
aa0a29 |
the primary for a copy of the new zone data (see special case below).
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Don't forget to change the serial number when you change data! If
|
|
cvsdist |
aa0a29 |
you don't, your secondaries will not transfer the new zone
|
|
cvsdist |
aa0a29 |
information. Automating the incrementing of the serial number with
|
|
cvsdist |
aa0a29 |
software is also a good idea.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
If you make a mistake and increment the serial number too high, and
|
|
cvsdist |
aa0a29 |
you want to reset the serial number to a lower value, use the
|
|
cvsdist |
aa0a29 |
following procedure:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 11]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Take the `incorrect' serial number and add 2147483647 to it. If
|
|
cvsdist |
aa0a29 |
the number exceeds 4294967296, subtract 4294967296. Load the
|
|
cvsdist |
aa0a29 |
resulting number. Then wait 2 refresh periods to allow the zone
|
|
cvsdist |
aa0a29 |
to propagate to all servers.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Repeat above until the resulting serial number is less than the
|
|
cvsdist |
aa0a29 |
target serial number.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Up the serial number to the target serial number.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
This procedure won't work if one of your secondaries is running an
|
|
cvsdist |
aa0a29 |
old version of BIND (4.8.3 or earlier). In this case you'll have to
|
|
cvsdist |
aa0a29 |
contact the hostmaster for that secondary and have them kill the
|
|
cvsdist |
aa0a29 |
secondary servers, remove the saved backup file, and restart the
|
|
cvsdist |
aa0a29 |
server. Be careful when editing the serial number -- DNS admins
|
|
cvsdist |
aa0a29 |
don't like to kill and restart nameservers because you lose all that
|
|
cvsdist |
aa0a29 |
cached data.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
3.2 Zone file style guide
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Here are some useful tips in structuring your zone files. Following
|
|
cvsdist |
aa0a29 |
these will help you spot mistakes, and avoid making more.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Be consistent with the style of entries in your DNS files. If your
|
|
cvsdist |
aa0a29 |
$ORIGIN is podunk.xx., try not to write entries like:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
mary IN A 1.2.3.1
|
|
cvsdist |
aa0a29 |
sue.podunk.xx. IN A 1.2.3.2
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
or:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
bobbi IN A 1.2.3.2
|
|
cvsdist |
aa0a29 |
IN MX mary.podunk.xx.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Either use all FQDNs (Fully Qualified Domain Names) everywhere or
|
|
cvsdist |
aa0a29 |
used unqualified names everywhere. Or have FQDNs all on the right-
|
|
cvsdist |
aa0a29 |
hand side but unqualified names on the left. Above all, be
|
|
cvsdist |
aa0a29 |
consistent.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Use tabs between fields, and try to keep columns lined up. It makes
|
|
cvsdist |
aa0a29 |
it easier to spot missing fields (note some fields such as "IN" are
|
|
cvsdist |
aa0a29 |
inherited from the previous record and may be left out in certain
|
|
cvsdist |
aa0a29 |
circumstances.)
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 12]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Remember you don't need to repeat the name of the host when you are
|
|
cvsdist |
aa0a29 |
defining multiple records for one host. Be sure also to keep all
|
|
cvsdist |
aa0a29 |
records associated with a host together in the file. It will make
|
|
cvsdist |
aa0a29 |
things more straightforward when it comes time to remove or rename a
|
|
cvsdist |
aa0a29 |
host.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Always remember your $ORIGIN. If you don't put a `.' at the end of
|
|
cvsdist |
aa0a29 |
an FQDN, it's not recognized as an FQDN. If it is not an FQDN, then
|
|
cvsdist |
aa0a29 |
the nameserver will append $ORIGIN to the name. Double check, triple
|
|
cvsdist |
aa0a29 |
check, those trailing dots, especially in in-addr.arpa zone files,
|
|
cvsdist |
aa0a29 |
where they are needed the most.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Be careful with the syntax of the SOA and WKS records (the records
|
|
cvsdist |
aa0a29 |
which use parentheses). BIND is not very flexible in how it parses
|
|
cvsdist |
aa0a29 |
these records. See the documentation for BIND.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
3.3 Verifying data
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Verify the data you just entered or changed by querying the resolver
|
|
cvsdist |
aa0a29 |
with dig (or your favorite DNS tool, many are included in the BIND
|
|
cvsdist |
aa0a29 |
distribution) after a change. A few seconds spent double checking
|
|
cvsdist |
aa0a29 |
can save hours of trouble, lost mail, and general headaches. Also be
|
|
cvsdist |
aa0a29 |
sure to check syslog output when you reload the nameserver. If you
|
|
cvsdist |
aa0a29 |
have grievous errors in your DNS data or boot file, named will report
|
|
cvsdist |
aa0a29 |
it via syslog.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
It is also highly recommended that you automate this checking, either
|
|
cvsdist |
aa0a29 |
with software which runs sanity checks on the data files before they
|
|
cvsdist |
aa0a29 |
are loaded into the nameserver, or with software which checks the
|
|
cvsdist |
aa0a29 |
data already loaded in the nameserver. Some contributed software to
|
|
cvsdist |
aa0a29 |
do this is included in the BIND distribution.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
4. Miscellaneous Topics
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
4.1 Boot file setup
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Certain zones should always be present in nameserver configurations:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
primary localhost localhost
|
|
cvsdist |
aa0a29 |
primary 0.0.127.in-addr.arpa 127.0
|
|
cvsdist |
aa0a29 |
primary 255.in-addr.arpa 255
|
|
cvsdist |
aa0a29 |
primary 0.in-addr.arpa 0
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
These are set up to either provide nameservice for "special"
|
|
cvsdist |
aa0a29 |
addresses, or to help eliminate accidental queries for broadcast or
|
|
cvsdist |
aa0a29 |
local address to be sent off to the root nameservers. All of these
|
|
cvsdist |
aa0a29 |
files will contain NS and SOA records just like the other zone files
|
|
cvsdist |
aa0a29 |
you maintain, the exception being that you can probably make the SOA
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 13]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
timers very long, since this data will never change.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
The "localhost" address is a "special" address which always refers to
|
|
cvsdist |
aa0a29 |
the local host. It should contain the following line:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
localhost. IN A 127.0.0.1
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
The "127.0" file should contain the line:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
1 PTR localhost.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
There has been some extensive discussion about whether or not to
|
|
cvsdist |
aa0a29 |
append the local domain to it. The conclusion is that "localhost."
|
|
cvsdist |
aa0a29 |
would be the best solution. The reasons given include:
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
"localhost" by itself is used and expected to work in some
|
|
cvsdist |
aa0a29 |
systems.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Translating 127.0.0.1 into "localhost.dom.ain" can cause some
|
|
cvsdist |
aa0a29 |
software to connect back to the loopback interface when it didn't
|
|
cvsdist |
aa0a29 |
want to because "localhost" is not equal to "localhost.dom.ain".
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
The "255" and "0" files should not contain any additional data beyond
|
|
cvsdist |
aa0a29 |
the NS and SOA records.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Note that future BIND versions may include all or some of this data
|
|
cvsdist |
aa0a29 |
automatically without additional configuration.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
4.2 Other Resolver and Server bugs
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Very old versions of the DNS resolver have a bug that cause queries
|
|
cvsdist |
aa0a29 |
for names that look like IP addresses to go out, because the user
|
|
cvsdist |
aa0a29 |
supplied an IP address and the software didn't realize that it didn't
|
|
cvsdist |
aa0a29 |
need to be resolved. This has been fixed but occasionally it still
|
|
cvsdist |
aa0a29 |
pops up. It's important because this bug means that these queries
|
|
cvsdist |
aa0a29 |
will be sent directly to the root nameservers, adding to an already
|
|
cvsdist |
aa0a29 |
heavy DNS load.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
While running a secondary nameserver off another secondary nameserver
|
|
cvsdist |
aa0a29 |
is possible, it is not recommended unless necessary due to network
|
|
cvsdist |
aa0a29 |
topologies. There are known cases where it has led to problems like
|
|
cvsdist |
aa0a29 |
bogus TTL values. While this may be caused by older or flawed DNS
|
|
cvsdist |
aa0a29 |
implementations, you should not chain secondaries off of one another
|
|
cvsdist |
aa0a29 |
since this builds up additional reliability dependencies as well as
|
|
cvsdist |
aa0a29 |
adds additional delays in updates of new zone data.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 14]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
4.3 Server issues
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
DNS operates primarily via UDP (User Datagram Protocol) messages.
|
|
cvsdist |
aa0a29 |
Some UNIX operating systems, in an effort to save CPU cycles, run
|
|
cvsdist |
aa0a29 |
with UDP checksums turned off. The relative merits of this have long
|
|
cvsdist |
aa0a29 |
been debated. However, with the increase in CPU speeds, the
|
|
cvsdist |
aa0a29 |
performance considerations become less and less important. It is
|
|
cvsdist |
aa0a29 |
strongly encouraged that you turn on UDP checksumming to avoid
|
|
cvsdist |
aa0a29 |
corrupted data not only with DNS but with other services that use UDP
|
|
cvsdist |
aa0a29 |
(like NFS). Check with your operating system documentation to verify
|
|
cvsdist |
aa0a29 |
that UDP checksumming is enabled.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
References
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 974] Partridge, C., "Mail routing and the domain system", STD
|
|
cvsdist |
aa0a29 |
14, RFC 974, CSNET CIC BBN Laboratories Inc, January 1986.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1033] Lottor, M, "Domain Administrators Operations Guide", RFC
|
|
cvsdist |
aa0a29 |
1033, USC/Information Sciences Institute, November 1987.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
|
|
cvsdist |
aa0a29 |
STD 13, RFC 1034, USC/Information Sciences Institute,
|
|
cvsdist |
aa0a29 |
November 1987.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1035] Mockapetris, P., "Domain Names - Implementation and
|
|
cvsdist |
aa0a29 |
Specification", STD 13, RFC 1035, USC/Information Sciences
|
|
cvsdist |
aa0a29 |
Institute, November 1987.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1123] Braden, R., "Requirements for Internet Hosts --
|
|
cvsdist |
aa0a29 |
Application and Support", STD 3, RFC 1123, IETF, October
|
|
cvsdist |
aa0a29 |
1989.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1178] Libes, D., "Choosing a Name for Your Computer", FYI 5, RFC
|
|
cvsdist |
aa0a29 |
1178, Integrated Systems Group/NIST, August 1990.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1183] Ullman, R., Mockapetris, P., Mamakos, L, and C. Everhart,
|
|
cvsdist |
aa0a29 |
"New DNS RR Definitions", RFC 1183, October 1990.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1535] Gavron, E., "A Security Problem and Proposed Correction
|
|
cvsdist |
aa0a29 |
With Widely Deployed DNS Software", RFC 1535, ACES
|
|
cvsdist |
aa0a29 |
Research Inc., October 1993.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S.
|
|
cvsdist |
aa0a29 |
Miller, "Common DNS Implementation Errors and Suggested
|
|
cvsdist |
aa0a29 |
Fixes", RFC 1536, USC/Information Sciences Institute, USC,
|
|
cvsdist |
aa0a29 |
October 1993.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 15]
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
RFC 1912 Common DNS Errors February 1996
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1537] Beertema, P., "Common DNS Data File Configuration Errors",
|
|
cvsdist |
aa0a29 |
RFC 1537, CWI, October 1993.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[RFC 1713] A. Romao, "Tools for DNS debugging", RFC 1713, FCCN,
|
|
cvsdist |
aa0a29 |
November 1994.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
[BOG] Vixie, P, et. al., "Name Server Operations Guide for BIND",
|
|
cvsdist |
aa0a29 |
Vixie Enterprises, July 1994.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
5. Security Considerations
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Security issues are not discussed in this memo.
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
6. Author's Address
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
David Barr
|
|
cvsdist |
aa0a29 |
The Pennsylvania State University
|
|
cvsdist |
aa0a29 |
Department of Mathematics
|
|
cvsdist |
aa0a29 |
334 Whitmore Building
|
|
cvsdist |
aa0a29 |
University Park, PA 16802
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Voice: +1 814 863 7374
|
|
cvsdist |
aa0a29 |
Fax: +1 814 863-8311
|
|
cvsdist |
aa0a29 |
EMail: barr@math.psu.edu
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
|
|
cvsdist |
aa0a29 |
Barr Informational [Page 16]
|
|
cvsdist |
aa0a29 |
|